Hello, everybody.
Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen I have configured the following two permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny
And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and got contradictory results.
The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.
Thanks in advance.
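One thing worth verifying before drawing conclusions from the test results above is whether the test user really is a transitive member of both configured groups as the domain sees it. The following PowerShell is an added example (not part of the original post and not Microsoft's documented procedure): it reads the user's tokenGroups constructed attribute, which expands nested security-group membership, and reports whether the user matches each Allow/Deny entry. The account name testuser and the group names in the hashtable are assumptions for illustration.

```powershell
# Added example: check a user's transitive group membership against the
# Allow/Deny entries configured for restricted enrollment agents.
# Uses only .NET DirectoryServices, no RSAT module required.

function Get-TokenGroupSids {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }

    $entry = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute; it is only populated when
    # explicitly requested, so refresh the cache for it.
    $entry.RefreshCache(@('tokenGroups'))

    foreach ($bytes in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }
}

function Test-EnrollmentAgentTargets {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Keys are 'DOMAIN\Group' or 'BUILTIN\Group', values 'Allow' or 'Deny'
        [Parameter(Mandatory)][hashtable]$Entries
    )

    $memberSids = (Get-TokenGroupSids -SamAccountName $SamAccountName).Value

    foreach ($name in $Entries.Keys) {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{
            Entry  = $name
            Type   = $Entries[$name]
            Sid    = $sid
            Member = ($memberSids -contains $sid)
        }
    }
}

# Hypothetical usage (account and domain names are assumptions):
$entries = @{
    'DOMAIN\Domain Users'    = 'Allow'
    'BUILTIN\Administrators' = 'Deny'
}
Test-EnrollmentAgentTargets -SamAccountName 'testuser' -Entries $entries |
    Format-Table -AutoSize
```

Note that membership in BUILTIN\ groups such as Administrators is evaluated by whichever machine builds the token; tokenGroups here reflects the domain controller answering the LDAP query, which can differ from how the CA server resolves the same user. If the row for a Deny entry shows Member = False against a user you expected to be denied, the test is not exercising the Deny ACE at all.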